mysterious complaints from my ISP - could it be Beagle?

Jim Cornette fc-cornette at insight.rr.com
Thu Jan 18 03:01:17 UTC 2007


P Jones wrote:
> On 1/17/07, Claude Jones <claude_jones at levitjames.com> wrote:
>> For several months now, a box I have up on the net at the office has been
>> generating the occasional complaint from my ISP. They generally include a
>> few lines from a report they've received which are largely uninformative
>> except for the fact that they contain the word SPAM in them. I've run port
>> scans, chrootkits, monitored my logs, and several other things, and have
>> never found anything. Every time I call them, they tell me it's probably
>> someone masquerading as me. Just now, I've gotten a fresh complaint which
>> contains the following lines reported to my ISP reported to them by whoever
>> their upstream provider is (I think it may be Global Crossing)
>>
>> 7784 | 207.188.230.120 | 2007-01-16 14:53:27 cbl SPAM | ATLANTECH - Atlantech Online, Inc.
>> 7784 | 209.183.239.194 | 2007-01-16 17:46:43 cbl SPAM | ATLANTECH - Atlantech Online, Inc.
>> 7784 | 65.79.236.162 | 2007-01-16 01:57:58 w.php srcport 2875 BEAGLE | ATLANTECH - Atlantech Online, Inc.
>> 7784 | 65.79.236.162 | 2007-01-16 06:30:47 w.php srcport 4544 BEAGLE | ATLANTECH - Atlantech Online, Inc.
>> 7784 | 65.79.236.162 | 2007-01-16 15:44:26 w.php srcport 3805 BEAGLE | ATLANTECH - Atlantech Online, Inc.
>>
>> The third through fifth entries are the first time Beagle has ever appeared
>> in these reports. Does anyone have an insight to what this could be about?
>> By the way, the first line IP address is my box - the other IPs are unknown
>> to me - maybe they don't even apply. It's funny because when I call tech
>> support and try to ask them about it, they're always apologetic, and don't
>> really know what these reports mean either...
>> -- 
>> Claude Jones
>> Brunswick, MD, USA
> 
> Claude;
> 
> Looks like Atlantech is your ISP, and the three last IPs are infected
> with a Beagle trojan variant:
> 
> http://www.symantec.com/security_response/writeup.jsp?docid=2005-122421-0146-99&tabid=2 
> 
> 
> It also looks like your IP and the second IP are being flagged as spam
> sources. Your IP is in the CBL, you can see it here:
> 
> http://cbl.abuseat.org/lookup.cgi?ip=207.188.230.120&.submit=Lookup
> 
> There are directions on the page referenced to delist your IP.
> 
> -P
> 

I'm surprised that it is a beagle giving trouble on the winnt side of 
the fence.

I guess our beagle is let out of the pound for this episode.

Jim

-- 
One nice thing about egotists: they don't talk about other people.
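
Added example, not part of the original thread: a small Python triage of the abuse report quoted above, which strips the mail quoting, rejoins the wrapped records, and separates entries naming your own address from the rest. The field layout (ASN | IP | timestamp, detail, category | AS name) is an assumption inferred from the five quoted lines, and the function names are hypothetical.

```python
import ipaddress
import re
from datetime import datetime

# Report records from the thread, with the mail's ">>" quoting and hard wraps.
QUOTED_REPORT = """\
>> 7784 | 207.188.230.120 | 2007-01-16 14:53:27 cbl SPAM | ATLANTECH -
>> Atlantech Online, Inc.
>> 7784 | 209.183.239.194 | 2007-01-16 17:46:43 cbl SPAM | ATLANTECH -
>> Atlantech Online, Inc.
>> 7784 | 65.79.236.162 | 2007-01-16 01:57:58 w.php srcport 2875 BEAGLE |
>> ATLANTECH - Atlantech Online, Inc.
>> 7784 | 65.79.236.162 | 2007-01-16 06:30:47 w.php srcport 4544 BEAGLE |
>> ATLANTECH - Atlantech Online, Inc.
>> 7784 | 65.79.236.162 | 2007-01-16 15:44:26 w.php srcport 3805 BEAGLE |
>> ATLANTECH - Atlantech Online, Inc.
"""

def unwrap(text):
    """Strip '>' quoting and rejoin records that were wrapped mid-line."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^\s*(>\s*)+", "", raw).strip()
        if re.match(r"\d+\s*\|", line):   # assumption: "<ASN> |" starts a record
            records.append(line)
        elif line and records:
            records[-1] += " " + line     # continuation of a wrapped record
    return records

def parse(record):
    """Assumed layout: ASN | IP | date time detail... CATEGORY | AS name."""
    asn, ip, event, as_name = (f.strip() for f in record.split("|", 3))
    date, time, *detail = event.split()
    return {
        "asn": int(asn),
        "ip": ipaddress.ip_address(ip),
        "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "detail": " ".join(detail[:-1]),
        "category": detail[-1],
        "as_name": as_name,
    }

def triage(text, my_ips):
    """Split report records into those naming our own addresses and the rest."""
    mine = {ipaddress.ip_address(i) for i in my_ips}
    result = {"mine": [], "other": []}
    for rec in map(parse, unwrap(text)):
        result["mine" if rec["ip"] in mine else "other"].append(rec)
    return result
```

Calling `triage(QUOTED_REPORT, ["207.188.230.120"])` leaves one SPAM record under `"mine"`; the three BEAGLE records all name a different address in the same AS.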



